/*
 * Copyright (c) 2002, 2008, Oracle and/or its affiliates. All rights reserved.
 * ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 */

package javax.management;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.security.Permission;

/**
 * <p>Permission controlling access to MBeanServer operations.  If a
 * security manager has been set using {@link
 * System#setSecurityManager}, most operations on the MBean Server
 * require that the caller's permissions imply an MBeanPermission
 * appropriate for the operation.  This is described in detail in the
 * documentation for the {@link MBeanServer} interface.</p>
 *
 * <p>As with other {@link Permission} objects, an MBeanPermission can
 * represent either a permission that you <em>have</em> or a
 * permission that you <em>need</em>.  When a sensitive operation is
 * being checked for permission, an MBeanPermission is constructed
 * representing the permission you need.  The operation is only
 * allowed if the permissions you have {@linkplain #implies imply} the
 * permission you need.</p>
 *
 * <p>An MBeanPermission contains four items of information:</p>
 *
 * <ul>
 *
 * <li><p>The <em>action</em>.  For a permission you need,
 * this is one of the actions in the list <a
 * href="#action-list">below</a>.  For a permission you have, this is
 * a comma-separated list of those actions, or <code>*</code>,
 * representing all actions.</p>
 *
 * <p>The action is returned by {@link #getActions()}.</p>
 *
 * <li><p>The <em>class name</em>.</p>
 *
 * <p>For a permission you need, this is the class name of an MBean
 * you are accessing, as returned by {@link
 * MBeanServer#getMBeanInfo(ObjectName)
 * MBeanServer.getMBeanInfo(name)}.{@link MBeanInfo#getClassName()
 * getClassName()}.  Certain operations do not reference a class name,
 * in which case the class name is null.</p>
 *
 * <p>For a permission you have, this is either empty or a <em>class
 * name pattern</em>.  A class name pattern is a string following the
 * Java conventions for dot-separated class names.  It may end with
 * "<code>.*</code>" meaning that the permission grants access to any
 * class that begins with the string preceding "<code>.*</code>".  For
 * instance, "<code>javax.management.*</code>" grants access to
 * <code>javax.management.MBeanServerDelegate</code> and
 * <code>javax.management.timer.Timer</code>, among other classes.</p>
 *
 * <p>A class name pattern can also be empty or the single character
 * "<code>*</code>", both of which grant access to any class.</p>
 *
 * <li><p>The <em>member</em>.</p>
 *
 * <p>For a permission you need, this is the name of the attribute or
 * operation you are accessing.  For operations that do not reference
 * an attribute or operation, the member is null.</p>
 *
 * <p>For a permission you have, this is either the name of an attribute
 * or operation you can access, or it is empty or the single character
 * "<code>*</code>", both of which grant access to any member.</p>
 *
 * <li id="MBeanName"><p>The <em>object name</em>.</p>
 *
 * <p>For a permission you need, this is the {@link ObjectName} of the
 * MBean you are accessing.  For operations that do not reference a
 * single MBean, it is null.  It is never an object name pattern.</p>
 *
 * <p>For a permission you have, this is the {@link ObjectName} of the
 * MBean or MBeans you can access.  It may be an object name pattern
 * to grant access to all MBeans whose names match the pattern.  It
 * may also be empty, which grants access to all MBeans whatever their
 * name.</p>
 *
 * </ul>
 *
 * <p>If you have an MBeanPermission, it allows operations only if all
 * four of the items match.</p>
 *
 * <p>The class name, member, and object name can be written together
 * as a single string, which is the <em>name</em> of this permission.
 * The name of the permission is the string returned by {@link
 * Permission#getName() getName()}.  The format of the string is:</p>
 *
 * <blockquote>
 * <code>className#member[objectName]</code>
 * </blockquote>
 *
 * <p>The object name is written using the usual syntax for {@link
 * ObjectName}.  It may contain any legal characters, including
 * <code>]</code>.  It is terminated by a <code>]</code> character
 * that is the last character in the string.</p>
 *
 * <p>One or more of the <code>className</code>, <code>member</code>,
 * or <code>objectName</code> may be omitted.  If the
 * <code>member</code> is omitted, the <code>#</code> may be too (but
 * does not have to be).  If the <code>objectName</code> is omitted,
 * the <code>[]</code> may be too (but does not have to be).  It is
 * not legal to omit all three items, that is to have a <em>name</em>
 * that is the empty string.</p>
 *
 * <p>One or more of the <code>className</code>, <code>member</code>,
 * or <code>objectName</code> may be the character "<code>-</code>",
 * which is equivalent to a null value.  A null value is implied by
 * any value (including another null value) but does not imply any
 * other value.</p>
 *
 * <p><a name="action-list">The possible actions are these:</a></p>
 *
 * <ul>
 * <li>addNotificationListener</li>
 * <li>getAttribute</li>
 * <li>getClassLoader</li>
 * <li>getClassLoaderFor</li>
 * <li>getClassLoaderRepository</li>
 * <li>getDomains</li>
 * <li>getMBeanInfo</li>
 * <li>getObjectInstance</li>
 * <li>instantiate</li>
 * <li>invoke</li>
 * <li>isInstanceOf</li>
 * <li>queryMBeans</li>
 * <li>queryNames</li>
 * <li>registerMBean</li>
 * <li>removeNotificationListener</li>
 * <li>setAttribute</li>
 * <li>unregisterMBean</li>
 * </ul>
 *
 * <p>In a comma-separated list of actions, spaces are allowed before
 * and after each action.</p>
 *
 * @since 1.5
 */
public class MBeanPermission extends Permission {

  private static final long serialVersionUID = -2416928705275160661L;

  /**
   * Actions list.
   */
  private static final int AddNotificationListener = 0x00001;
  private static final int GetAttribute = 0x00002;
  private static final int GetClassLoader = 0x00004;
  private static final int GetClassLoaderFor = 0x00008;
  private static final int GetClassLoaderRepository = 0x00010;
  private static final int GetDomains = 0x00020;
  private static final int GetMBeanInfo = 0x00040;
  private static final int GetObjectInstance = 0x00080;
  private static final int Instantiate = 0x00100;
  private static final int Invoke = 0x00200;
  private static final int IsInstanceOf = 0x00400;
  private static final int QueryMBeans = 0x00800;
  private static final int QueryNames = 0x01000;
  private static final int RegisterMBean = 0x02000;
  private static final int RemoveNotificationListener = 0x04000;
  private static final int SetAttribute = 0x08000;
  private static final int UnregisterMBean = 0x10000;

  /**
   * No actions.
   */
  private static final int NONE = 0x00000;

  /**
   * All actions.
   */
  private static final int ALL =
      AddNotificationListener |
          GetAttribute |
          GetClassLoader |
          GetClassLoaderFor |
          GetClassLoaderRepository |
          GetDomains |
          GetMBeanInfo |
          GetObjectInstance |
          Instantiate |
          Invoke |
          IsInstanceOf |
          QueryMBeans |
          QueryNames |
          RegisterMBean |
          RemoveNotificationListener |
          SetAttribute |
          UnregisterMBean;

  /**
   * The actions string.
   */
  private String actions;

  /**
   * The actions mask.
   */
  private transient int mask;

  /**
   * The classname prefix that must match.  If null, is implied by any
   * classNamePrefix but does not imply any non-null classNamePrefix.
   */
  private transient String classNamePrefix;

  /**
   * True if classNamePrefix must match exactly.  Otherwise, the
   * className being matched must start with classNamePrefix.
   */
  private transient boolean classNameExactMatch;

  /**
   * The member that must match.  If null, is implied by any member
   * but does not imply any non-null member.
   */
  private transient String member;

  /**
   * The objectName that must match.  If null, is implied by any
   * objectName but does not imply any non-null objectName.
   */
  private transient ObjectName objectName;

  /**
   * Parse <code>actions</code> parameter.
   */
  private void parseActions() {

    int mask;

    if (actions == null) {
      throw new IllegalArgumentException("MBeanPermission: " +
          "actions can't be null");
    }
    if (actions.equals("")) {
      throw new IllegalArgumentException("MBeanPermission: " +
          "actions can't be empty");
    }

    mask = getMask(actions);

    if ((mask & ALL) != mask) {
      throw new IllegalArgumentException("Invalid actions mask");
    }
    if (mask == NONE) {
      throw new IllegalArgumentException("Invalid actions mask");
    }
    this.mask = mask;
  }

  /**
   * Parse <code>name</code> parameter.
   */
  private void parseName() {
    String name = getName();

    if (name == null) {
      throw new IllegalArgumentException("MBeanPermission name " +
          "cannot be null");
    }

    if (name.equals("")) {
      throw new IllegalArgumentException("MBeanPermission name " +
          "cannot be empty");
    }

        /* The name looks like "class#member[objectname]".  We subtract
           elements from the right as we parse, so after parsing the
           objectname we have "class#member" and after parsing the
           member we have "class".  Each element is optional.  */

    // Parse ObjectName

    int openingBracket = name.indexOf("[");
    if (openingBracket == -1) {
      // If "[on]" missing then ObjectName("*:*")
      //
      objectName = ObjectName.WILDCARD;
    } else {
      if (!name.endsWith("]")) {
        throw new IllegalArgumentException("MBeanPermission: " +
            "The ObjectName in the " +
            "target name must be " +
            "included in square " +
            "brackets");
      } else {
        // Create ObjectName
        //
        try {
          // If "[]" then ObjectName("*:*")
          //
          String on = name.substring(openingBracket + 1,
              name.length() - 1);
          if (on.equals("")) {
            objectName = ObjectName.WILDCARD;
          } else if (on.equals("-")) {
            objectName = null;
          } else {
            objectName = new ObjectName(on);
          }
        } catch (MalformedObjectNameException e) {
          throw new IllegalArgumentException("MBeanPermission: " +
              "The target name does " +
              "not specify a valid " +
              "ObjectName", e);
        }
      }

      name = name.substring(0, openingBracket);
    }

    // Parse member

    int poundSign = name.indexOf("#");

    if (poundSign == -1) {
      setMember("*");
    } else {
      String memberName = name.substring(poundSign + 1);
      setMember(memberName);
      name = name.substring(0, poundSign);
    }

    // Parse className

    setClassName(name);
  }

  /**
   * Assign fields based on className, member, and objectName
   * parameters.
   */
  private void initName(String className, String member,
      ObjectName objectName) {
    setClassName(className);
    setMember(member);
    this.objectName = objectName;
  }

  private void setClassName(String className) {
    if (className == null || className.equals("-")) {
      classNamePrefix = null;
      classNameExactMatch = false;
    } else if (className.equals("") || className.equals("*")) {
      classNamePrefix = "";
      classNameExactMatch = false;
    } else if (className.endsWith(".*")) {
      // Note that we include the "." in the required prefix
      classNamePrefix = className.substring(0, className.length() - 1);
      classNameExactMatch = false;
    } else {
      classNamePrefix = className;
      classNameExactMatch = true;
    }
  }

  private void setMember(String member) {
    if (member == null || member.equals("-")) {
      this.member = null;
    } else if (member.equals("")) {
      this.member = "*";
    } else {
      this.member = member;
    }
  }

  /**
   * <p>Create a new MBeanPermission object with the specified target name
   * and actions.</p>
   *
   * <p>The target name is of the form
   * "<code>className#member[objectName]</code>" where each part is
   * optional.  It must not be empty or null.</p>
   *
   * <p>The actions parameter contains a comma-separated list of the
   * desired actions granted on the target name.  It must not be
   * empty or null.</p>
   *
   * @param name the triplet "className#member[objectName]".
   * @param actions the action string.
   * @throws IllegalArgumentException if the <code>name</code> or <code>actions</code> is invalid.
   */
  public MBeanPermission(String name, String actions) {
    super(name);

    parseName();

    this.actions = actions;
    parseActions();
  }

  /**
   * <p>Create a new MBeanPermission object with the specified target name
   * (class name, member, object name) and actions.</p>
   *
   * <p>The class name, member and object name parameters define a
   * target name of the form
   * "<code>className#member[objectName]</code>" where each part is
   * optional.  This will be the result of {@link #getName()} on the
   * resultant MBeanPermission.</p>
   *
   * <p>The actions parameter contains a comma-separated list of the
   * desired actions granted on the target name.  It must not be
   * empty or null.</p>
   *
   * @param className the class name to which this permission applies. May be null or
   * <code>"-"</code>, which represents a class name that is implied by any class name but does not
   * imply any other class name.
   * @param member the member to which this permission applies.  May be null or <code>"-"</code>,
   * which represents a member that is implied by any member but does not imply any other member.
   * @param objectName the object name to which this permission applies.  May be null, which
   * represents an object name that is implied by any object name but does not imply any other
   * object name.
   * @param actions the action string.
   */
  public MBeanPermission(String className,
      String member,
      ObjectName objectName,
      String actions) {

    super(makeName(className, member, objectName));
    initName(className, member, objectName);

    this.actions = actions;
    parseActions();
  }

  private static String makeName(String className, String member,
      ObjectName objectName) {
    final StringBuilder name = new StringBuilder();
    if (className == null) {
      className = "-";
    }
    name.append(className);
    if (member == null) {
      member = "-";
    }
    name.append("#" + member);
    if (objectName == null) {
      name.append("[-]");
    } else {
      name.append("[").append(objectName.getCanonicalName()).append("]");
    }

        /* In the interests of legibility for Permission.toString(), we
           transform the empty string into "*".  */
    if (name.length() == 0) {
      return "*";
    } else {
      return name.toString();
    }
  }

  /**
   * Returns the "canonical string representation" of the actions. That is,
   * this method always returns present actions in alphabetical order.
   *
   * @return the canonical string representation of the actions.
   */
  public String getActions() {

    if (actions == null) {
      actions = getActions(this.mask);
    }

    return actions;
  }

  /**
   * Returns the "canonical string representation"
   * of the actions from the mask.
   */
  private static String getActions(int mask) {
    final StringBuilder sb = new StringBuilder();
    boolean comma = false;

    if ((mask & AddNotificationListener) == AddNotificationListener) {
      comma = true;
      sb.append("addNotificationListener");
    }

    if ((mask & GetAttribute) == GetAttribute) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("getAttribute");
    }

    if ((mask & GetClassLoader) == GetClassLoader) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("getClassLoader");
    }

    if ((mask & GetClassLoaderFor) == GetClassLoaderFor) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("getClassLoaderFor");
    }

    if ((mask & GetClassLoaderRepository) == GetClassLoaderRepository) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("getClassLoaderRepository");
    }

    if ((mask & GetDomains) == GetDomains) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("getDomains");
    }

    if ((mask & GetMBeanInfo) == GetMBeanInfo) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("getMBeanInfo");
    }

    if ((mask & GetObjectInstance) == GetObjectInstance) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("getObjectInstance");
    }

    if ((mask & Instantiate) == Instantiate) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("instantiate");
    }

    if ((mask & Invoke) == Invoke) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("invoke");
    }

    if ((mask & IsInstanceOf) == IsInstanceOf) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("isInstanceOf");
    }

    if ((mask & QueryMBeans) == QueryMBeans) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("queryMBeans");
    }

    if ((mask & QueryNames) == QueryNames) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("queryNames");
    }

    if ((mask & RegisterMBean) == RegisterMBean) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("registerMBean");
    }

    if ((mask & RemoveNotificationListener) == RemoveNotificationListener) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("removeNotificationListener");
    }

    if ((mask & SetAttribute) == SetAttribute) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("setAttribute");
    }

    if ((mask & UnregisterMBean) == UnregisterMBean) {
      if (comma) {
        sb.append(',');
      } else {
        comma = true;
      }
      sb.append("unregisterMBean");
    }

    return sb.toString();
  }

  /**
   * Returns the hash code value for this object.
   *
   * @return a hash code value for this object.
   */
  public int hashCode() {
    return this.getName().hashCode() + this.getActions().hashCode();
  }

  /**
   * Converts an action String to an integer action mask.
   *
   * @param action the action string.
   * @return the action mask.
   */
  private static int getMask(String action) {

        /*
         * BE CAREFUL HERE! PARSING ORDER IS IMPORTANT IN THIS ALGORITHM.
         *
         * The 'string length' test must be performed for the lengthiest
         * strings first.
         *
         * In this permission if the "unregisterMBean" string length test is
         * performed after the "registerMBean" string length test the algorithm
         * considers the 'unregisterMBean' action as being the 'registerMBean'
         * action and a parsing error is returned.
         */

    int mask = NONE;

    if (action == null) {
      return mask;
    }

    if (action.equals("*")) {
      return ALL;
    }

    char[] a = action.toCharArray();

    int i = a.length - 1;
    if (i < 0) {
      return mask;
    }

    while (i != -1) {
      char c;

      // skip whitespace
      while ((i != -1) && ((c = a[i]) == ' ' ||
          c == '\r' ||
          c == '\n' ||
          c == '\f' ||
          c == '\t')) {
        i--;
      }

      // check for the known strings
      int matchlen;

      if (i >= 25 && /* removeNotificationListener */
          (a[i - 25] == 'r') &&
          (a[i - 24] == 'e') &&
          (a[i - 23] == 'm') &&
          (a[i - 22] == 'o') &&
          (a[i - 21] == 'v') &&
          (a[i - 20] == 'e') &&
          (a[i - 19] == 'N') &&
          (a[i - 18] == 'o') &&
          (a[i - 17] == 't') &&
          (a[i - 16] == 'i') &&
          (a[i - 15] == 'f') &&
          (a[i - 14] == 'i') &&
          (a[i - 13] == 'c') &&
          (a[i - 12] == 'a') &&
          (a[i - 11] == 't') &&
          (a[i - 10] == 'i') &&
          (a[i - 9] == 'o') &&
          (a[i - 8] == 'n') &&
          (a[i - 7] == 'L') &&
          (a[i - 6] == 'i') &&
          (a[i - 5] == 's') &&
          (a[i - 4] == 't') &&
          (a[i - 3] == 'e') &&
          (a[i - 2] == 'n') &&
          (a[i - 1] == 'e') &&
          (a[i] == 'r')) {
        matchlen = 26;
        mask |= RemoveNotificationListener;
      } else if (i >= 23 && /* getClassLoaderRepository */
          (a[i - 23] == 'g') &&
          (a[i - 22] == 'e') &&
          (a[i - 21] == 't') &&
          (a[i - 20] == 'C') &&
          (a[i - 19] == 'l') &&
          (a[i - 18] == 'a') &&
          (a[i - 17] == 's') &&
          (a[i - 16] == 's') &&
          (a[i - 15] == 'L') &&
          (a[i - 14] == 'o') &&
          (a[i - 13] == 'a') &&
          (a[i - 12] == 'd') &&
          (a[i - 11] == 'e') &&
          (a[i - 10] == 'r') &&
          (a[i - 9] == 'R') &&
          (a[i - 8] == 'e') &&
          (a[i - 7] == 'p') &&
          (a[i - 6] == 'o') &&
          (a[i - 5] == 's') &&
          (a[i - 4] == 'i') &&
          (a[i - 3] == 't') &&
          (a[i - 2] == 'o') &&
          (a[i - 1] == 'r') &&
          (a[i] == 'y')) {
        matchlen = 24;
        mask |= GetClassLoaderRepository;
      } else if (i >= 22 && /* addNotificationListener */
          (a[i - 22] == 'a') &&
          (a[i - 21] == 'd') &&
          (a[i - 20] == 'd') &&
          (a[i - 19] == 'N') &&
          (a[i - 18] == 'o') &&
          (a[i - 17] == 't') &&
          (a[i - 16] == 'i') &&
          (a[i - 15] == 'f') &&
          (a[i - 14] == 'i') &&
          (a[i - 13] == 'c') &&
          (a[i - 12] == 'a') &&
          (a[i - 11] == 't') &&
          (a[i - 10] == 'i') &&
          (a[i - 9] == 'o') &&
          (a[i - 8] == 'n') &&
          (a[i - 7] == 'L') &&
          (a[i - 6] == 'i') &&
          (a[i - 5] == 's') &&
          (a[i - 4] == 't') &&
          (a[i - 3] == 'e') &&
          (a[i - 2] == 'n') &&
          (a[i - 1] == 'e') &&
          (a[i] == 'r')) {
        matchlen = 23;
        mask |= AddNotificationListener;
      } else if (i >= 16 && /* getClassLoaderFor */
          (a[i - 16] == 'g') &&
          (a[i - 15] == 'e') &&
          (a[i - 14] == 't') &&
          (a[i - 13] == 'C') &&
          (a[i - 12] == 'l') &&
          (a[i - 11] == 'a') &&
          (a[i - 10] == 's') &&
          (a[i - 9] == 's') &&
          (a[i - 8] == 'L') &&
          (a[i - 7] == 'o') &&
          (a[i - 6] == 'a') &&
          (a[i - 5] == 'd') &&
          (a[i - 4] == 'e') &&
          (a[i - 3] == 'r') &&
          (a[i - 2] == 'F') &&
          (a[i - 1] == 'o') &&
          (a[i] == 'r')) {
        matchlen = 17;
        mask |= GetClassLoaderFor;
      } else if (i >= 16 && /* getObjectInstance */
          (a[i - 16] == 'g') &&
          (a[i - 15] == 'e') &&
          (a[i - 14] == 't') &&
          (a[i - 13] == 'O') &&
          (a[i - 12] == 'b') &&
          (a[i - 11] == 'j') &&
          (a[i - 10] == 'e') &&
          (a[i - 9] == 'c') &&
          (a[i - 8] == 't') &&
          (a[i - 7] == 'I') &&
          (a[i - 6] == 'n') &&
          (a[i - 5] == 's') &&
          (a[i - 4] == 't') &&
          (a[i - 3] == 'a') &&
          (a[i - 2] == 'n') &&
          (a[i - 1] == 'c') &&
          (a[i] == 'e')) {
        matchlen = 17;
        mask |= GetObjectInstance;
      } else if (i >= 14 && /* unregisterMBean */
          (a[i - 14] == 'u') &&
          (a[i - 13] == 'n') &&
          (a[i - 12] == 'r') &&
          (a[i - 11] == 'e') &&
          (a[i - 10] == 'g') &&
          (a[i - 9] == 'i') &&
          (a[i - 8] == 's') &&
          (a[i - 7] == 't') &&
          (a[i - 6] == 'e') &&
          (a[i - 5] == 'r') &&
          (a[i - 4] == 'M') &&
          (a[i - 3] == 'B') &&
          (a[i - 2] == 'e') &&
          (a[i - 1] == 'a') &&
          (a[i] == 'n')) {
        matchlen = 15;
        mask |= UnregisterMBean;
      } else if (i >= 13 && /* getClassLoader */
          (a[i - 13] == 'g') &&
          (a[i - 12] == 'e') &&
          (a[i - 11] == 't') &&
          (a[i - 10] == 'C') &&
          (a[i - 9] == 'l') &&
          (a[i - 8] == 'a') &&
          (a[i - 7] == 's') &&
          (a[i - 6] == 's') &&
          (a[i - 5] == 'L') &&
          (a[i - 4] == 'o') &&
          (a[i - 3] == 'a') &&
          (a[i - 2] == 'd') &&
          (a[i - 1] == 'e') &&
          (a[i] == 'r')) {
        matchlen = 14;
        mask |= GetClassLoader;
      } else if (i >= 12 && /* registerMBean */
          (a[i - 12] == 'r') &&
          (a[i - 11] == 'e') &&
          (a[i - 10] == 'g') &&
          (a[i - 9] == 'i') &&
          (a[i - 8] == 's') &&
          (a[i - 7] == 't') &&
          (a[i - 6] == 'e') &&
          (a[i - 5] == 'r') &&
          (a[i - 4] == 'M') &&
          (a[i - 3] == 'B') &&
          (a[i - 2] == 'e') &&
          (a[i - 1] == 'a') &&
          (a[i] == 'n')) {
        matchlen = 13;
        mask |= RegisterMBean;
      } else if (i >= 11 && /* getAttribute */
          (a[i - 11] == 'g') &&
          (a[i - 10] == 'e') &&
          (a[i - 9] == 't') &&
          (a[i - 8] == 'A') &&
          (a[i - 7] == 't') &&
          (a[i - 6] == 't') &&
          (a[i - 5] == 'r') &&
          (a[i - 4] == 'i') &&
          (a[i - 3] == 'b') &&
          (a[i - 2] == 'u') &&
          (a[i - 1] == 't') &&
          (a[i] == 'e')) {
        matchlen = 12;
        mask |= GetAttribute;
      } else if (i >= 11 && /* getMBeanInfo */
          (a[i - 11] == 'g') &&
          (a[i - 10] == 'e') &&
          (a[i - 9] == 't') &&
          (a[i - 8] == 'M') &&
          (a[i - 7] == 'B') &&
          (a[i - 6] == 'e') &&
          (a[i - 5] == 'a') &&
          (a[i - 4] == 'n') &&
          (a[i - 3] == 'I') &&
          (a[i - 2] == 'n') &&
          (a[i - 1] == 'f') &&
          (a[i] == 'o')) {
        matchlen = 12;
        mask |= GetMBeanInfo;
      } else if (i >= 11 && /* isInstanceOf */
          (a[i - 11] == 'i') &&
          (a[i - 10] == 's') &&
          (a[i - 9] == 'I') &&
          (a[i - 8] == 'n') &&
          (a[i - 7] == 's') &&
          (a[i - 6] == 't') &&
          (a[i - 5] == 'a') &&
          (a[i - 4] == 'n') &&
          (a[i - 3] == 'c') &&
          (a[i - 2] == 'e') &&
          (a[i - 1] == 'O') &&
          (a[i] == 'f')) {
        matchlen = 12;
        mask |= IsInstanceOf;
      } else if (i >= 11 && /* setAttribute */
          (a[i - 11] == 's') &&
          (a[i - 10] == 'e') &&
          (a[i - 9] == 't') &&
          (a[i - 8] == 'A') &&
          (a[i - 7] == 't') &&
          (a[i - 6] == 't') &&
          (a[i - 5] == 'r') &&
          (a[i - 4] == 'i') &&
          (a[i - 3] == 'b') &&
          (a[i - 2] == 'u') &&
          (a[i - 1] == 't') &&
          (a[i] == 'e')) {
        matchlen = 12;
        mask |= SetAttribute;
      } else if (i >= 10 && /* instantiate */
          (a[i - 10] == 'i') &&
          (a[i - 9] == 'n') &&
          (a[i - 8] == 's') &&
          (a[i - 7] == 't') &&
          (a[i - 6] == 'a') &&
          (a[i - 5] == 'n') &&
          (a[i - 4] == 't') &&
          (a[i - 3] == 'i') &&
          (a[i - 2] == 'a') &&
          (a[i - 1] == 't') &&
          (a[i] == 'e')) {
        matchlen = 11;
        mask |= Instantiate;
      } else if (i >= 10 && /* queryMBeans */
          (a[i - 10] == 'q') &&
          (a[i - 9] == 'u') &&
          (a[i - 8] == 'e') &&
          (a[i - 7] == 'r') &&
          (a[i - 6] == 'y') &&
          (a[i - 5] == 'M') &&
          (a[i - 4] == 'B') &&
          (a[i - 3] == 'e') &&
          (a[i - 2] == 'a') &&
          (a[i - 1] == 'n') &&
          (a[i] == 's')) {
        matchlen = 11;
        mask |= QueryMBeans;
      } else if (i >= 9 && /* getDomains */
          (a[i - 9] == 'g') &&
          (a[i - 8] == 'e') &&
          (a[i - 7] == 't') &&
          (a[i - 6] == 'D') &&
          (a[i - 5] == 'o') &&
          (a[i - 4] == 'm') &&
          (a[i - 3] == 'a') &&
          (a[i - 2] == 'i') &&
          (a[i - 1] == 'n') &&
          (a[i] == 's')) {
        matchlen = 10;
        mask |= GetDomains;
      } else if (i >= 9 && /* queryNames */
          (a[i - 9] == 'q') &&
          (a[i - 8] == 'u') &&
          (a[i - 7] == 'e') &&
          (a[i - 6] == 'r') &&
          (a[i - 5] == 'y') &&
          (a[i - 4] == 'N') &&
          (a[i - 3] == 'a') &&
          (a[i - 2] == 'm') &&
          (a[i - 1] == 'e') &&
          (a[i] == 's')) {
        matchlen = 10;
        mask |= QueryNames;
      } else if (i >= 5 && /* invoke */
          (a[i - 5] == 'i') &&
          (a[i - 4] == 'n') &&
          (a[i - 3] == 'v') &&
          (a[i - 2] == 'o') &&
          (a[i - 1] == 'k') &&
          (a[i] == 'e')) {
        matchlen = 6;
        mask |= Invoke;
      } else {
        // parse error
        throw new IllegalArgumentException("Invalid permission: " +
            action);
      }

      // make sure we didn't just match the tail of a word
      // like "ackbarfaccept".  Also, skip to the comma.
      boolean seencomma = false;
      while (i >= matchlen && !seencomma) {
        switch (a[i - matchlen]) {
          case ',':
            seencomma = true;
            break;
          case ' ':
          case '\r':
          case '\n':
          case '\f':
          case '\t':
            break;
          default:
            throw new IllegalArgumentException("Invalid permission: " +
                action);
        }
        i--;
      }

      // point i at the location of the comma minus one (or -1).
      i -= matchlen;
    }

    return mask;
  }

  /**
   * <p>Checks if this MBeanPermission object "implies" the
   * specified permission.</p>
   *
   * <p>More specifically, this method returns true if:</p>
   *
   * <ul>
   *
   * <li> <i>p</i> is an instance of MBeanPermission; and</li>
   *
   * <li> <i>p</i> has a null className or <i>p</i>'s className
   * matches this object's className; and</li>
   *
   * <li> <i>p</i> has a null member or <i>p</i>'s member matches this
   * object's member; and</li>
   *
   * <li> <i>p</i> has a null object name or <i>p</i>'s
   * object name matches this object's object name; and</li>
   *
   * <li> <i>p</i>'s actions are a subset of this object's actions</li>
   *
   * </ul>
   *
   * <p>If this object's className is "<code>*</code>", <i>p</i>'s
   * className always matches it.  If it is "<code>a.*</code>", <i>p</i>'s
   * className matches it if it begins with "<code>a.</code>".</p>
   *
   * <p>If this object's member is "<code>*</code>", <i>p</i>'s
   * member always matches it.</p>
   *
   * <p>If this object's objectName <i>n1</i> is an object name pattern,
   * <i>p</i>'s objectName <i>n2</i> matches it if
   * {@link ObjectName#equals <i>n1</i>.equals(<i>n2</i>)} or if
   * {@link ObjectName#apply <i>n1</i>.apply(<i>n2</i>)}.</p>
   *
   * <p>A permission that includes the <code>queryMBeans</code> action
   * is considered to include <code>queryNames</code> as well.</p>
   *
   * @param p the permission to check against.
   * @return true if the specified permission is implied by this object, false if not.
   */
  public boolean implies(Permission p) {
    if (!(p instanceof MBeanPermission)) {
      return false;
    }

    MBeanPermission that = (MBeanPermission) p;

    // Actions
    //
    // The actions in 'this' permission must be a
    // superset of the actions in 'that' permission
    //

        /* "queryMBeans" implies "queryNames" */
    if ((this.mask & QueryMBeans) == QueryMBeans) {
      if (((this.mask | QueryNames) & that.mask) != that.mask) {
        //System.out.println("action [with QueryNames] does not imply");
        return false;
      }
    } else {
      if ((this.mask & that.mask) != that.mask) {
        //System.out.println("action does not imply");
        return false;
      }
    }

    // Target name
    //
    // The 'className' check is true iff:
    // 1) the className in 'this' permission is omitted or "*", or
    // 2) the className in 'that' permission is omitted or "*", or
    // 3) the className in 'this' permission does pattern
    //    matching with the className in 'that' permission.
    //
    // The 'member' check is true iff:
    // 1) the member in 'this' permission is omitted or "*", or
    // 2) the member in 'that' permission is omitted or "*", or
    // 3) the member in 'this' permission equals the member in
    //    'that' permission.
    //
    // The 'object name' check is true iff:
    // 1) the object name in 'this' permission is omitted or "*:*", or
    // 2) the object name in 'that' permission is omitted or "*:*", or
    // 3) the object name in 'this' permission does pattern
    //    matching with the object name in 'that' permission.
    //

        /* Check if this.className implies that.className.

           If that.classNamePrefix is empty that means the className is
           irrelevant for this permission check.  Otherwise, we do not
           expect that "that" contains a wildcard, since it is a
           needed permission.  So we assume that.classNameExactMatch.  */

    if (that.classNamePrefix == null) {
      // bottom is implied
    } else if (this.classNamePrefix == null) {
      // bottom implies nothing but itself
      return false;
    } else if (this.classNameExactMatch) {
      if (!that.classNameExactMatch) {
        return false; // exact never implies wildcard
      }
      if (!that.classNamePrefix.equals(this.classNamePrefix)) {
        return false; // exact match fails
      }
    } else {
      // prefix match, works even if "that" is also a wildcard
      // e.g. a.* implies a.* and a.b.*
      if (!that.classNamePrefix.startsWith(this.classNamePrefix)) {
        return false;
      }
    }

        /* Check if this.member implies that.member */

    if (that.member == null) {
      // bottom is implied
    } else if (this.member == null) {
      // bottom implies nothing but itself
      return false;
    } else if (this.member.equals("*")) {
      // wildcard implies everything (including itself)
    } else if (!this.member.equals(that.member)) {
      return false;
    }

        /* Check if this.objectName implies that.objectName */

    if (that.objectName == null) {
      // bottom is implied
    } else if (this.objectName == null) {
      // bottom implies nothing but itself
      return false;
    } else if (!this.objectName.apply(that.objectName)) {
            /* ObjectName.apply returns false if that.objectName is a
               wildcard so we also allow equals for that case.  This
               never happens during real permission checks, but means
               the implies relation is reflexive.  */
      if (!this.objectName.equals(that.objectName)) {
        return false;
      }
    }

    return true;
  }

  /**
   * Checks two MBeanPermission objects for equality. Checks
   * that <i>obj</i> is an MBeanPermission, and has the same
   * name and actions as this object.
   * <P>
   *
   * @param obj the object we are testing for equality with this object.
   * @return true if obj is an MBeanPermission, and has the same name and actions as this
   * MBeanPermission object.
   */
  public boolean equals(Object obj) {
    if (obj == this) {
      return true;
    }

    if (!(obj instanceof MBeanPermission)) {
      return false;
    }

    MBeanPermission that = (MBeanPermission) obj;

    return (this.mask == that.mask) &&
        (this.getName().equals(that.getName()));
  }

  /**
   * Deserialize this object based on its name and actions.
   */
  private void readObject(ObjectInputStream in)
      throws IOException, ClassNotFoundException {
    in.defaultReadObject();
    parseName();
    parseActions();
  }
}
